ORG responds to consultation on Communications Data Codes of Practice

Regulation of Investigatory Powers Act Consultation: Acquisition and Disclosure of Communications Data and Retention of Communications Data Codes of Practice

I. New Retention of Communications Data Code of Practice

General – unlawfulness of the parent legislation

1. The primary difficulty with the Code of Practice is that it further details the powers and duties contained in the Data Retention and Investigatory Powers Act 2014 (‘DRIPA’) and the Data Retention Regulations 2014 (‘DRR 2014’). This legislation is currently subject to judicial review proceedings seeking to demonstrate its unlawfulness. It is likely that the legislation is contrary to EU law and the European Convention on Human Rights. The Code of Practice cannot rectify the unlawfulness of the powers to which it relates.  

2. The Court of Justice of the EU (CJEU) found the Data Retention Directive[1] (DRD) invalidon 8 April 2014[2] on the grounds that it breached the fundamental human rights to privacy and protection of personal data under Articles 7 and 8 of the EU Charter of Fundamental Rights and Freedoms (the Charter). The Directive constituted “a wide-ranging and particularly serious interference with those fundamental rights, …without… being… limited to what is strictly necessary.” In the UK the Data Retention Regulations 2009 implemented the DRD. DRIPA has reintroduced the retention regime in the UK with only minor differences from the 2009 Regulations. 

3. DRIPA does not address several of the characteristics that the CJEU identified as rendering the regime disproportionate. Most significantly, DRIPA permits blanket retention. Retention notices are not person or crime specific. Despite the CJEU’s findings, DRIPA does not restrict retention for example to a particular time period, geographical area, or persons whose data would contribute to the prevention, detection or prosecution of serious offence.[3] It does not provide exceptions for communications subject to the obligation of professional secrecy.[4] Moreover, we know such obligations have been violated in practice. DRIPA does not empower an independent administrative or judicial body to make decisions regarding access to the data.[5] In addition DRIPA does not restrict use of the data to the prevention, detection or prosecution of precisely defined serious offences[6] or require the data in question to be retained within the European Union.[7] 

4. DRIPA is therefore highly unlikely to comply with the Charter of Fundamental Rights or the European Convention on Human Rights for the same reasons the DRD was not compliant. National legislation must comply with the Charter where it is implementing EU law. DRIPA is implementing EU law as it relies on the exceptions set out within Article 15 of the Directive[8]  on privacy and electronic communications (E-Privacy Directive).[9] As DRIPA fails to comply with the Charter it also fails to comply with Article 15 E-Privacy Directive and EU law generally. Open Rights Group and Privacy International have set out these arguments in an intervention in the judicial review proceedings.[10]

Specific provisions in the Code of Practice

1. Paragraph 1.9 of the Code of Practice states that: “The Home Office does not publish or release identities of CSPs subject to a data retention notice as to do so may identify operational capabilities or harm the commercial interests of CSPs under a notice.” We note that there is no requirement in DRIPA or the DRR 2014 to keep receipt of a notice secret. The fact that retention notices are not published makes it very difficult to monitor whether notices are being issued only where necessary and proportionate and whether retention periods are being varied for different types of data or whether all notices simply provide for a 12 month period. The case for transparency of the notices is made stronger by the fact that the notices require blanket retention affecting all customers, not targeted retention in respect of particular individuals.

6. Paragraph 2.5 states that “Section 2(8A) of RIPA, as inserted by DRIPA, clarifies the definition of telecommunications service to make clear that it includes companies who provide internet-based services, such as webmail.” This constitutes an amendment of the definition of telecommunications service and not simply a “clarification”. It extends the scope of the data retention and interception regimes to include: “any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system”, which could include other services as well as webmail. Standard Web forum software (used all very commonly on small sites) includes facilities for private messaging, which means that all of these sites may fall within DRIPA. This appears to potentially extend the scope to thousands of websites. Given that anyone with some technical knowledge can run one of these forum sites, it also does not seem sensible to restrict the definition of CSP to “companies”.

7. Paragraph 2.6 discusses the definition of communications data. It states that the definition does not include the content of any communication. It should be noted that despite this, communications data enables a detailed and intimate picture of an individuals’ life to be developed. For example, the CJEU in DRI stressed that:

“27 Those data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.”

8. Paragraph 3.27 notes that for subscriber data the starting point for the retention period is determined by the date at which the customer leaves the company or the data is changed. This could potentially be a very lengthy period and it is unclear why a period longer than 12 months is necessary (as noted by the Advocate General at paragraph 149 of his Opinion in DRI).

9. Paragraph 6.3 provides that in most cases data retained under a notice is stored in dedicated data retention and disclosure systems, which are securely separated by technical security measures (e.g. a firewall) from a CSP’s business systems. But paragraph 6.4 states that in some cases it will not be practical to create a duplicate of that data and CSPs will retain information in business or shared systems.This creates a risk that the retained data may be accessed and used for purposes other than those provided for in the legislation.

10. Paragraph 6.38 states that any breaches under relevant legislation, such as RIPA or the Privacy and Electronic Communications Regulations, should be notified in accordance with clear incident management processes and procedures, including an escalation path to senior management and the Home Office. Paragraph 6.39 states that any suspected or actual unauthorised disclosure or processing of data or information must also be reported in the same way. In our view both breaches of relevant legislation and unauthorised disclosure or processing (actual / suspected) should be notified to the ICO, not just the Home Office. Breaches of legislation outside the ICO’s remit should be notified to the relevant oversight body, for example the Interception of Communications Commissioner for RIPA. This is particularly true as the Code of Practice explains that:

• the DRR 2014 require that the Information Commissioner provides independent oversight of the integrity, security or destruction of data retained by virtue of DRIPA[11]; and
• the Information Commissioner may take enforcement action using powers under the Data Protection Act 1998 or other relevant data protection legislation should he establish instances of failure to comply with it[12].

11. In this respect we also note that the national security exemption in the Data Protection Act is so broad that it almost exempts the whole of the Act. For the Code of Practice to promote that there is real protection from the DPA overstates the level of protection available.

12. Paragraph 7.7 provides that any inspection reports published must be sufficiently redacted to protect the identities of the companies “because of the sensitivity of identifying which companies have received retention notices”. As discussed above, we note that there is no requirement in DRIPA or the 2014 Regulations to keep receipt of a notice secret. We believe the government should increase transparency around retention notices.

13. Paragraph 8.6 relates to the use of data by communications service providers and reads: “…If data is not also being retained for existing business purposes it cannot be used by CSPs for business purposes, for example marketing, if such a requirement is subsequently identified.”  We are strongly in favour of the inclusion of this paragraph, though it would be preferable if it were included in the legislation itself. We consider that it is an omission from DRIPA and the DRR 2014 that there is no explicit prohibition on the retained data being used by CSPs for other purposes. Paragraph 8.7 states that “In circumstances where a CSP identifies a specific purpose where access to retained data is in the interest of their customers, the company should discuss this issue with the Home Office on a case-by-case basis. This could include an investigation into fraudulent use of their services”. It should be made clear that Home Office would not allow CSPs to access the data for purposes such as marketing and analytics.

14. The Template Retention Notice at Schedule 1 includes: C) Period for which data is to be retained. It states: “Unless specified below data retained under this notice must be retained for a period of 12 months.”  The notice assumes a 12 month retention period unless otherwise specified, which suggests most data will be retained for 12 months rather than a shorter period, which is the same period for which it was retained under the old Data Retention Regulations 2009. The lack of tailored retention periods was one of the problems identified by the CJEU.[13] This was one of the issues that DRIPA claimed to rectify in order to comply with the EU ruling. For example, the Privacy Impact Assessment said:

“In meeting the European Court Judgment’s opinions where possible, the new legislation (in the form of primary legislation and supporting regulations) will go further in safeguarding human rights. These additional safeguards will include: … Amending the set period for which data is retained, from 12 months to a maximum of 12 months (allowing for shorter periods if there is lesser need).”[14]

II. Updated Acquisition and Disclosure of Communications Data Code of Practice

General

15. Protections and safeguards should be set out in legislation, rather than in Codes of Practice. If such safeguards are considered vital to protect human rights, the interests of justice and the rule of law, they should be given statutory force rather than being relegated to a code of practice.

Response to the list of key changes

•   Enhancing the operational independence of the authorising officer from the specific investigation for which communications data is required (paragraphs 3.11-3.15 and 3.25-3.27);

16. The Code of Practice provides for designated persons to be independent from operations for authorisations related to those operations. This is a minor improvement on the current position, but it does not go anywhere near far enough to ensure that the decision-maker is sufficiently independent. Judicial authorisation of all requests would ensure decisions regarding access to data are taken by an individual who is genuinely independent. The fact that it was necessary to make this change demonstrates the extreme lack of independent decision-making at present. 

•   Ensuring that where there may be concerns relating to professions that handle confidential or privileged information (e.g. lawyers or journalists), law enforcement should give additional consideration to the level of intrusion and must record such applications (paragraphs 3.72-3.74);

17. The giving of additional consideration by law enforcement and the recording of applications would not constitute adequate safeguards for privileged or confidential information. This change amounts to little more than record keeping. Judicial authorisation of requests for communications data would be a far more effective safeguard. Judicial authorisation should apply not only to requests relating to journalists or lawyers, but to all requests for communications data (as well as the interception of content). As discussed above, a requirement of judicial authorisation would provide genuinely independent decision-making.

18. Whilst the accessing of lawyers’ privileged communications and journalists’ source-revealing communications is particularly concerning, providing additional protection for these groups alone will not rectify the fundamental deficiencies in RIPA and DRIPA. Comprehensive reform is required. RIPA and DRIPA must be repealed and replaced by new comprehensive surveillance legislation that contains rigorous oversight mechanisms. RIPA is outdated, opaque and does not provide sufficient protection for communications data (as well as allowing mass interception of content to occur). As discussed above (see paragraphs 1 – 4), DRIPA is unlikely to be compliant with EU law or the European Convention on Human Rights.

19. Everyone, not only journalists, are entitled to a communications data retention and access regime that is compliant with human rights and in particular the right to privacy. As discussed above,analysis of communications data alone can create a complex picture of an individual’s life. Communications data should therefore be afforded the same protection as the content of communications. It should be subject to the same authorisation regime, which should be judicial authorisation. The CJEU identified the lack of an independent administrative or judicial body making decisions regarding access as one of the factors that rendered the Data Retention Directive in breach of fundamental rights (see paragraph 3 above). Access to communications data should only be allowed where it is strictly necessary and proportionate. A judge is best placed to decide whether this is the case.

20. If journalists are to be singled out for special protection it should be noted that they do not constitute a clear category and anyone publishing information may be considered as a journalist. Journalists are not limited to individuals employed by publications; they include freelance writers, and also include the writers of non-publications such as blogs and of aggregations of information such as those created with Storify and Tumblr. Perpetuating a pre-Internet understanding of “journalism” is itself to disregard rights. Again an independent judge should consider this issue and where the case is difficult to determine the judge should be able to seek advice from suitable independent experts. Similarly, the ICO has established that NGOs can also be covered by the journalistic exception in section 32 Data Protection Act.[15] The type of data being requested is important as well as the identity of the person communicating, for example whether it relates to sources or litigation.

21. The consultation document specifically requests views regarding additional safeguards, such as “a requirement to flag all applications for the communications data of those in professions that handle confidential information (e.g. lawyers and journalists) to the Interception of Communications Commissioner at his next inspection”. The consultation document notes it would particularly welcome views on whether the draft code sufficiently protects freedom of expression. We do not consider that the code is sufficiently protective at present. Whilst we would have no objection to the suggested measure, which would provide a small degree of additional protection, we remain of the view that the only way to provide adequate protection is to require judicial authorisation of all requests for communications data. This is the only way that privacy and freedom of expression will be adequately protected.

22.  Paragraph 3.72 states that: Communications data is not subject to any form of professional privilege – the fact a communication took place does not disclose what was discussed, considered or advised. This statement isincorrect. Communications data may attract legal privilege in the form of litigation privilege. It is not necessary for a communication to “disclose what was discussed, considered or advised” for litigation privilege to apply.Litigation privilege can exist in relation to any documents or communications which have been produced for the dominant purpose of obtaining advice in relation to litigation, obtaining or collecting evidence for the litigation, or obtaining information which may assist in obtaining or collecting such evidence.[16]If, in the normal course of litigation, a party requests disclosure of communications data, the request would be refused on the ground of litigation privilege. In this context communications data would include records of a lawyer contacting specific people, for example potential witnesses.[17]

•   Reflecting the additional requirements on local authorities to request communications data through a magistrate, and the National Anti-Fraud Network (paragraphs 3.75-3.77);

23. Paragraph 3.77 reflects the obligation on local authorities to seek judicial approval from a magistrate or sheriff for all requests for communications data. This requirement should be extended to all public authorities making requests for communications data.   

•   Setting out new record keeping requirements for public authorities (in response to recommendations by the Interception of Communications Commissioner to improve transparency) (paragraphs 6.1-6.8);

24. Increased transparency on the scale of surveillance is necessary. It is a positive step to require public authorities to keep more detailed records in the interests of transparency. In order to provide real transparency the Interception of Communications Commissioner should publish the data as fully as possible.

25. Paragraph 6.8states that “the Interception of Communications Commissioner will not seek to publish statistical information where it appears to him that doing so would be contrary to the public interest, or would be prejudicial to national security.”  This provides too wide a discretion to the Interception of Communications Commissioner to decide not to publish the statistics. Clearer guidance is needed on when the statistics will be published and when they will not.

26. One way of addressing this would be to divide the types of statistics into categories. The first category of statistics would be the most general and top level (such as the number of requests and the numbers approved and rejected as well as types of data requested). This data must always be published and there should be no public interest / national security exception, as such aggregate data would not damage national security and is essential in a democratic society. The second level of statistics would contain more granular information and should be subject to a presumption of publication and the Interception of Communications Commissioner would have to make a case for why they should not be published if he believes they should not be. We consider “public interest” is too vague a justification for not publishing; better reasons would be national security and jeopardizing ongoing investigations. Finally, the third category would be the most granular and specific information, for which the presumption would be reversed so that it would be expected the information would not be published. However, third parties should still have the ability to put forward arguments as to why some of that information could be published in certain circumstances.  

27. Aggregate information on the number of surveillance authorisation requests approved and rejected enables citizens to understand the scale of surveillance requests made and what proportion of these are determined to be necessary and proportionate. The published data should contain a disaggregation of the requests by service provider, including the investigation type and purpose.[18]

•   Aligning the code with best practice regarding responses to public emergency calls (999/112 calls) (paragraphs 5.5-5.30) and judicial co-operation with overseas authorities (paragraphs 7.13-7.15). 


28. We have no comments on the above listed paragraphs.

Other provisions of the Code of Practice

29.  Paragraph 1.5 of the Code of Practice states that Section 4 of DRIPA “clarified that communications data access powers under RIPA are exercisable in respect of those CSPs that provide a service to the United Kingdom from outside of the country.” This provision was not merely a clarification. It was a purported extension of the government’s powers in respect of accessing communications data (as well as interception). It imposes, for the first time in UK legislation, liability on foreign telecommunications operators for failing to comply with a data request (or interception warrant). It sets a dangerous precedent for other states to follow and encourages the development of a complex global web of demands, potentially bypassing Mutual Legal Assistance Treaties. It is unclear whether the provision is compliant with the “in accordance with the law” requirements of the ECHR and the Charter.